People under the age of 25 might not remember it so well, but there was a time long ago when the computing world was clouded by an ever-present virus threat. Back before MacBooks became the default laptop, in a simpler, more dangerous time when Microsoft Internet Explorer was the dominant web browser, the internet was a scary place. A couple of wrong clicks could render your computer a war zone of malicious code.

Much of that has changed: web browsers have got a lot safer and Apple’s operating system, always relatively immune to virus issues, became more commonplace. So did smartphones and tablets, which have yet to be hit by big-time virus problems.

That last bit is changing, according to Lookout, a mobile security company. In particular, Google’s Android operating system is vulnerable to malicious programs, thanks to a combination of a lightly-policed app store and an operating system that gives installed applications a large amount of leeway to mess with the underlying system of the phone.

Lookout recently discovered BadNews, a piece of malicious code, or malware, that it says is “a significant development in the evolution of mobile malware.” Running inside dozens of applications being distributed through the Google Play app store, it may have made its way onto at least two million Android mobiles, and potentially up to nine million (well over half a billion Android phones have been sold).

After being notified of the malware, Google removed all the affected apps from its store and suspended the accounts of their developers. The majority of the applications were targeting Russian-speaking users, but some — including a few of the most popular ones — were English-language.

Here’s how Lookout says BadNews works:

BadNews masquerades as an innocent, if somewhat aggressive advertising network. This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network. Because it’s challenging to get malicious bad code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny.

BadNews has the ability to send fake news messages, prompt users to install applications and send sensitive information such as the phone number and device ID to its Command and Control (C&C) server. BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps.

One such app quietly sends text messages to special phone numbers that charge premium rates. Others push more malware onto an infected phone, which would go on to further infect it. Sometimes it will tell users that an update is available for popular applications like Skype; if they click to download the update, more junk is installed.

The most notable thing about BadNews is the way it pretends to be an advertising network, operating as a kind of Trojan horse. The malicious side of the program isn’t immediately visible, and it’s only when “advertising” is pushed through later on that the bad news of BadNews begins.

That means those overseeing I.T. security at big companies “must assume that even very well designed app-vetting processes will not be able to detect malicious behavior that hasn’t happened yet,” Lookout says. Instead, ongoing monitoring is needed. (Yes, that is what software like the product Lookout is hawking is designed to do, in case anyone was under the impression the company is spotting mobile malware as a charitable service).

The other notable thing about BadNews? Many have said the battle between Android and Apple’s iOS is reminiscent of the Apple vs Windows war of the 80s and 90s, when Windows proliferated thanks to the dozens of manufacturers able to produce Windows PCs in a rainbow of configurations and price points. The same can be said of Android today.

But there was a dark side of the way Windows dominated the market through the 1990s: the awful security issues that linger to this day. Android’s backers might want to take a Microsoft-style market share, but having Microsoft-style security problems is a much less enticing proposition.

"Oh Dear" is correct. Windows was on 85-90% of computers worldwide. No one was going to write malicious code for Apple because no one was using Mac OS. That said, I think MS could have done a better job handling the threats against Windows during that time. I am an IT pro and I remember the initial onslaught of malware, mostly because of Internet Explorer. Spyware was rampant and there was hardly a computer in our network that didn't have it on it. Anti-virus was not spyware-aware at the time so we spent a lot of time wiping and reimaging computers.

2:45 pm April 21, 2013

kmn wrote:

Author lost all credibility when he said “before Macbooks became the default laptop”. - From Oh dear which I absolutely agree with.

2:28 pm April 21, 2013

Tim Cookie wrote:

It's not difficult to get malware on iOS devices, just follow some basic rules set forth by Apple and cut them in for 30% of any profits made by your malware (I mean App), done! Oh yea, make sure your App doesn't offend any small but vocal special interest group. Apple will likely cave and censor your App. Happy coding!